authorPawel Wieczorek <p.wieczorek2@samsung.com>2020-03-18 12:38:30 +0100
committerBartek Grzybowski <b.grzybowski@partner.samsung.com>2020-03-25 13:08:24 +0000
commit328bcfbce8d97a66b975ee45cd69b30cdb727aef (patch)
tree36fbb850dbca01e7bdfe09cbbc4e154a2fae3300 /test/security
parent8a7af5c45393636ab82ff1932b7d14224e449034 (diff)
Add "expected failure" support to non-SSL NodePort scanner
This patch makes the scanner compatible with its shell predecessor. The same "expected failure" list format is used, i.e. # Comment line; will be ignored SERVICE1 NODEPORT1 SERVICE2 NODEPORT2 A single space character is used as the field separator. Issue-ID: SECCOM-261 Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security')
-rw-r--r--test/security/sslendpoints/README14
-rw-r--r--test/security/sslendpoints/main.go50
2 files changed, 61 insertions, 3 deletions
diff --git a/test/security/sslendpoints/README b/test/security/sslendpoints/README
index bf39f0148..ba21b12ea 100644
--- a/test/security/sslendpoints/README
+++ b/test/security/sslendpoints/README
@@ -14,6 +14,11 @@ Configuration
``-kubeconfig``
Optional unless ``$HOME`` is not set. Defaults to ``$HOME/.kube/config``.
+``-xfail``
+ Optional list of services with corresponding NodePorts which do not use SSL
+ tunnels. These ports are known as "expected failures" and will not be
+ checked.
+
Build (local)
~~~~~~~~~~~~~
@@ -70,7 +75,7 @@ Command (local)
.. code-block:: shell
- $ bin/sslendpoints [-kubeconfig KUBECONFIG]
+ $ bin/sslendpoints [-kubeconfig KUBECONFIG] [-xfail XFAIL]
Command (Docker)
~~~~~~~~~~~~~~~~
@@ -83,6 +88,13 @@ Command (Docker)
$ docker run --rm --volume $KUBECONFIG:/opt/config \
sslendpoints-build-img /bin/sslendpoints -kubeconfig /opt/config
+ $ docker run --rm \
+ --volume $KUBECONFIG:/opt/config \
+ --volume $XFAIL:/opt/xfail \
+ sslendpoints-build-img /bin/sslendpoints \
+ -kubeconfig /opt/config
+ -xfail /opt/xfail
+
Output
~~~~~~
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index e5a76eb78..8c136d5c4 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -1,6 +1,7 @@
package main
import (
+ "encoding/csv"
"flag"
"log"
"os"
@@ -18,17 +19,47 @@ import (
const (
ipv4AddrType = "ipv4"
+
+ xfailComma = ' '
+ xfailComment = '#'
+ xfailFields = 2
+)
+
+var (
+ kubeconfig *string
+ xfailName *string
)
func main() {
- var kubeconfig *string
if home := os.Getenv("HOME"); home != "" {
kubeconfig = flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")
} else {
kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
}
+ xfailName = flag.String("xfail", "", "(optional) absolute path to the expected failures file")
flag.Parse()
+ var xfails [][]string
+ if *xfailName != "" {
+ xfailFile, err := os.Open(*xfailName)
+ if err != nil {
+ log.Printf("Unable to open expected failures file: %v", err)
+ log.Println("All non-SSL NodePorts will be reported")
+ }
+ defer xfailFile.Close()
+
+ r := csv.NewReader(xfailFile)
+ r.Comma = xfailComma
+ r.Comment = xfailComment
+ r.FieldsPerRecord = xfailFields
+
+ xfails, err = r.ReadAll()
+ if err != nil {
+ log.Printf("Unable to read expected failures file: %v", err)
+ log.Println("All non-SSL NodePorts will be reported")
+ }
+ }
+
// use the current context in kubeconfig
config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
if err != nil {
@@ -67,7 +98,22 @@ func main() {
os.Exit(0)
}
- // TODO: filter out expected failures here before running the scan
+ // filter out expected failures here before running the scan
+ for _, xfail := range xfails {
+ port, err := strconv.Atoi(xfail[1])
+ if err != nil {
+ log.Printf("Unable to parse port expected to fail: %v", err)
+ continue
+ }
+ service, ok := nodeports[uint16(port)]
+ if !ok {
+ continue
+ }
+ if service != xfail[0] {
+ continue
+ }
+ delete(nodeports, uint16(port))
+ }
// extract ports for running the scan
var ports []string